Azure AD Access via RBAC

Dave O'Donohoe 170 Reputation points
2023-08-14T09:50:09.03+00:00

Hi,

I am trying to provide read-only access into Azure AD, ideally similar to Security Reader, via RBAC.

I have extracted the mentioned permissions from Security Reader role, per below KB, and created a custom RBAC role.

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#security-reader

And assigned it to my users, however they still receive the following error:

{
  "shellProps": {
    "sessionId": "3a061a6d30b54d9398ecf961c38f5aab",
    "extName": "Microsoft_AAD_IAM",
    "contentName": "ActiveDirectoryMenuBlade",
    "code": 403
  },
  "error": {
    "message": "No access",
    "code": 403
  }
}

Could someone assist in terms of the specific RBAC JSON parameters required for read-only access into Azure AD?

Thanks.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  1. Akshay-MSFT 17,951 Reputation points Microsoft Employee Moderator
    2023-09-04T11:21:17.3633333+00:00

    @Dave O'Donohoe ,

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue: Provide users read-only access into Azure AD via RBAC and getting error:

    {
      "shellProps": {
        "sessionId": "3a061a6d30b54d9398ecf961c38f5aab",
        "extName": "Microsoft_AAD_IAM",
        "contentName": "ActiveDirectoryMenuBlade",
        "code": 403
      },
      "error": {
        "message": "No access",
        "code": 403
      }
    }

    Solution: It is not possible to assign RBAC to facilitate access to admin Azure AD (portal). It must be done via AAD built-in or custom roles. It is also not possible to assign AAD custom or built-in roles to groups created / sync'd from on-prem.

    If you have any other questions or are still running into more issues, please let me know.
    Thank you again for your time and patience throughout this issue.

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    Thanks,

    Akshay Kaushik

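The conclusion of this thread (an Azure RBAC role, even a copy of Security Reader, only covers ARM resources; read-only access to the Entra admin blades needs the Entra ID "Security Reader" directory role, assigned to a cloud-only role-assignable group) as an added PowerShell example. This is not code from the original thread or from Microsoft; it assumes the Az.Resources and Microsoft.Graph modules are installed, and the group name and user UPN are placeholders.

```powershell
# Added example (not from the original thread). Contrasts the Azure RBAC
# "Security Reader" role (ARM control plane only) with the Microsoft Entra ID
# "Security Reader" directory role (what unlocks Microsoft_AAD_IAM blades),
# and assigns the latter to a cloud-only, role-assignable group.
# Placeholders: $GroupName and $UserUpn. Assumes Az.Resources + Microsoft.Graph.
#Requires -Modules Az.Resources, Microsoft.Graph.Groups, Microsoft.Graph.Users, Microsoft.Graph.Identity.Governance

param(
    [string]$GroupName = "sg-entra-security-readers",   # placeholder
    [string]$UserUpn   = "reader@contoso.com"            # placeholder
)

# --- 1. What the Azure RBAC "Security Reader" role actually grants -------
# Every action is an ARM resource-provider action (Microsoft.Security/*/read,
# */read, ...). None of them touch the directory, so a custom role built from
# this list still yields a 403 on the Entra ID portal blades.
Connect-AzAccount | Out-Null
$armRole = Get-AzRoleDefinition -Name "Security Reader"
"Azure RBAC 'Security Reader' actions:"
$armRole.Actions | Sort-Object -Unique

# --- 2. Assign the Entra ID directory role instead ------------------------
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory","Group.ReadWrite.All","User.Read.All" | Out-Null

# Directory roles can only be assigned to cloud-only, role-assignable groups;
# a group synced from on-prem AD will be rejected.
$group = Get-MgGroup -Filter "displayName eq '$GroupName'" `
                     -Property Id,DisplayName,IsAssignableToRole,OnPremisesSyncEnabled
if (-not $group) {
    $group = New-MgGroup -DisplayName $GroupName -MailNickname $GroupName -MailEnabled:$false `
                         -SecurityEnabled -IsAssignableToRole `
                         -Description "Read-only access to Microsoft Entra ID"
}
if ($group.OnPremisesSyncEnabled -or -not $group.IsAssignableToRole) {
    throw "Group '$GroupName' is synced from on-prem or not role-assignable; a directory role cannot be assigned to it."
}

# Add the user to the group (idempotent: Graph returns an error if already a member,
# so check first).
$user = Get-MgUser -UserId $UserUpn
$isMember = Get-MgGroupMember -GroupId $group.Id -All | Where-Object Id -eq $user.Id
if (-not $isMember) {
    New-MgGroupMemberByRef -GroupId $group.Id -BodyParameter @{
        "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
    }
}

# Resolve the directory role by display name rather than hard-coding a template ID.
$dirRole = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Security Reader'"

$existing = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$($group.Id)' and roleDefinitionId eq '$($dirRole.Id)'"
if (-not $existing) {
    # DirectoryScopeId "/" = whole tenant; use an administrative unit ID to narrow it.
    New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $dirRole.Id `
        -PrincipalId $group.Id -DirectoryScopeId "/"
}

# --- 3. Verify which kind of role the user actually holds -----------------
"Azure RBAC assignments for $UserUpn (ARM scopes only):"
Get-AzRoleAssignment -SignInName $UserUpn | Select-Object RoleDefinitionName, Scope

"Entra ID directory role assignments inherited via '$GroupName':"
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($group.Id)'" `
    -ExpandProperty roleDefinition |
    Select-Object @{n='Role'; e={ $_.RoleDefinition.DisplayName }}, DirectoryScopeId
```

The two verification queries make the distinction concrete: `Get-AzRoleAssignment` only ever reports ARM scopes (subscriptions, resource groups, resources), whereas the directory role assignment lives under Graph's `roleManagement/directory` and is what the portal checks before rendering the Entra ID blades. The on-prem-sync guard reflects the constraint the thread hit: `IsAssignableToRole` can only be set at creation time on a cloud-only security group.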

1 additional answer

  1. Dave O'Donohoe 170 Reputation points
    2023-08-18T08:31:05.4033333+00:00

    I logged a call with MS support, it is not possible to assign RBAC to facilitate access to admin Azure AD (portal). It must be done via AAD built-in or custom roles.

    It is also not possible to assign AAD custom or built-in roles to groups created / sync'd from on-prem - which is our other dilemma.

